[ ok ] Starting file context maintaining daemon: restorecond.
[....] Starting OpenBSD Secure Shell server: sshd
[ 17.015912] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 20.710158] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 20.900657] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 21.717650] random: sshd: uninitialized urandom read (32 bytes read, 86 bits of entropy available)
[ 21.888853] random: sshd: uninitialized urandom read (32 bytes read, 90 bits of entropy available)
Warning: Permanently added '10.128.0.25' (ECDSA) to the list of known hosts.
[ 27.275582] random: sshd: uninitialized urandom read (32 bytes read, 96 bits of entropy available)
executing program
[ 27.371626] ==================================================================
[ 27.379014] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50
[ 27.385651] Read of size 8 at addr ffff8801d2cdf238 by task syzkaller553430/3317
[ 27.393153]
[ 27.394753] CPU: 1 PID: 3317 Comm: syzkaller553430 Not tainted 4.4.111-gc2f631b #27
[ 27.402522] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.412547]  0000000000000000 55f671aefe2cc737 ffff8801d0e7f8d0 ffffffff81d0513d
[ 27.420578]  ffffea00074b3780 ffff8801d2cdf238 0000000000000000 ffff8801d2cdf238
[ 27.428563]  0000000000000000 ffff8801d0e7f908 ffffffff814fd433 ffff8801d2cdf238
[ 27.436524] Call Trace:
[ 27.439083]  [] dump_stack+0xc1/0x124
[ 27.444419]  [] print_address_description+0x73/0x260
[ 27.451059]  [] kasan_report+0x285/0x370
[ 27.456651]  [] ? __lock_acquire+0x387e/0x4b50
[ 27.462763]  [] __asan_report_load8_noabort+0x14/0x20
[ 27.469481]  [] __lock_acquire+0x387e/0x4b50
[ 27.475419]  [] ? __lock_acquire+0xb5f/0x4b50
[ 27.481446]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.488426]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.495419]  [] ? mark_held_locks+0xaf/0x100
[ 27.501363]  [] lock_acquire+0x15e/0x460
[ 27.506962]  [] ? remove_wait_queue+0x14/0x40
[ 27.512991]  [] _raw_spin_lock_irqsave+0x4e/0x70
[ 27.519279]  [] ? remove_wait_queue+0x14/0x40
[ 27.525323]  [] remove_wait_queue+0x14/0x40
[ 27.531178]  [] ep_unregister_pollwait.isra.6+0xa8/0x220
[ 27.538159]  [] ? ep_unregister_pollwait.isra.6+0x114/0x220
[ 27.545400]  [] ? ep_free+0x1c0/0x1c0
[ 27.550729]  [] ep_free+0x93/0x1c0
[ 27.555799]  [] ? ep_free+0x1c0/0x1c0
[ 27.561131]  [] ep_eventpoll_release+0x44/0x60
[ 27.567243]  [] __fput+0x233/0x6d0
[ 27.572315]  [] ____fput+0x15/0x20
[ 27.577388]  [] task_work_run+0x104/0x180
[ 27.583067]  [] do_exit+0x871/0x2a20
[ 27.588313]  [] ? release_task+0x1240/0x1240
[ 27.594253]  [] ? SyS_epoll_create+0x190/0x190
[ 27.600364]  [] do_group_exit+0x108/0x320
[ 27.606055]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[ 27.612514]  [] SyS_exit_group+0x1d/0x20
[ 27.618106]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[ 27.624648]
[ 27.626246] Allocated by task 3317:
[ 27.629836]  [] save_stack_trace+0x26/0x50
[ 27.635735]  [] save_stack+0x43/0xd0
[ 27.641099]  [] kasan_kmalloc+0xad/0xe0
[ 27.646726]  [] kmem_cache_alloc_trace+0x100/0x2b0
[ 27.653303]  [] binder_get_thread+0x181/0x7a0
[ 27.659452]  [] binder_poll+0x4a/0x210
[ 27.664985]  [] SyS_epoll_ctl+0x10b1/0x2050
[ 27.670952]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[ 27.677617]
[ 27.679214] Freed by task 3317:
[ 27.682458]  [] save_stack_trace+0x26/0x50
[ 27.688339]  [] save_stack+0x43/0xd0
[ 27.693712]  [] kasan_slab_free+0x72/0xc0
[ 27.699506]  [] kfree+0xfc/0x300
[ 27.704520]  [] binder_thread_dec_tmpref+0x1c1/0x250
[ 27.711271]  [] binder_thread_release+0x27d/0x540
[ 27.717770]  [] binder_ioctl+0xb94/0x12e0
[ 27.723569]  [] do_vfs_ioctl+0x7aa/0xee0
[ 27.729281]  [] SyS_ioctl+0x8f/0xc0
[ 27.734564]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[ 27.741227]
[ 27.742824] The buggy address belongs to the object at ffff8801d2cdf180
[ 27.742824]  which belongs to the cache kmalloc-512 of size 512
[ 27.755444] The buggy address is located 184 bytes inside of
[ 27.755444]  512-byte region [ffff8801d2cdf180, ffff8801d2cdf380)
[ 27.767283] The buggy address belongs to the page:
[ 29.190239] SELinux: Invalid class 45616
[ 29.194495] ------------[ cut here ]------------
[ 29.199217] kernel BUG at security/selinux/avc.c:119!
[ 29.201426] PANIC: double fault, error_code: 0x0
[ 29.201433] CPU: 1 PID: 3317 Comm: syzkaller553430 Not tainted 4.4.111-gc2f631b #27
[ 29.201435] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.201438] task: ffff8800b5af8000 task.stack: ffff8801d0e78000
[ 29.201450] RIP: 0010:[]  [] dump_page_badflags+0x1a/0x250
[ 29.201452] RSP: 0018:ffff880100000000  EFLAGS: 00010086
[ 29.201454] RAX: ffff8800b5af8000 RBX: ffffea00074b3780 RCX: ffffffff8148f980
[ 29.201456] RDX: 0000000000000000 RSI: ffffffff838a8360 RDI: ffffea00074b3780
[ 29.201458] RBP: ffff880100000030 R08: 0000000000000001 R09: 0000000000000000
[ 29.201460] R10: 0000000000000002 R11: fffffbfff0ad781e R12: 0000000000000000
[ 29.201462] R13: ffffffff838a8360 R14: 0000000000000000 R15: 0000000000000000
[ 29.201465] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 29.201468] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 29.201470] CR2: ffff8800fffffff8 CR3: 000000000420c000 CR4: 0000000000160670
[ 29.201475] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 29.201476] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 29.201477] Stack:
[ 29.201479]
[ 29.201480] Call Trace:
[ 29.201482]
[ 29.201530] Code: e2 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 61 06 ed ff 48 8d 7b 10 48 b8 00 00 00 00 00 fc ff df 48 89
[ 29.201533] Kernel panic - not syncing: Machine halted.
[ 29.350998] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 29.356817] Dumping ftrace buffer:
[ 29.360321]    (ftrace buffer empty)
[ 29.364002] Modules linked in:
[ 29.367285] CPU: 0 PID: 1734 Comm: udevd Not tainted 4.4.111-gc2f631b #27
[ 29.374174] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.383511] task: ffff8801d39ec740 task.stack: ffff8801d3ac0000
[ 29.389531] RIP: 0010:[]  [] avc_audit_pre_callback+0x25f/0x2b0
[ 29.398801] RSP: 0018:ffff8801d3ac73d8  EFLAGS: 00010293
[ 29.404218] RAX: ffff8801d39ec740 RBX: 000000000000b230 RCX: ffffffff81b498ff
[ 29.411454] RDX: 0000000000000000 RSI: 000000000000000d RDI: ffff8801d3ac7660
[ 29.418691] RBP: ffff8801d3ac7410 R08: ffffed003a197997 R09: ffffed003a197997
[ 29.425943] R10: 0000000000000001 R11: ffffed003a197996 R12: ffffffff839c6c80
[ 29.433198] R13: 0000000000400000 R14: ffffffff81b492a0 R15: ffffffff81b496a0
[ 29.440447] FS:  00007f9d253337a0(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 29.448651] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 29.454506] CR2: 0000560de12ea100 CR3: 00000001d3a84000 CR4: 0000000000160670
[ 29.461750] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 29.468992] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 29.476231] Stack:
[ 29.478352]  ffff8801da1e8d20 e80137d79159fab6 1ffff1003a758e88 ffff8801d3ac7790
[ 29.486333]  ffff8801da1e8d20 ffffffff81b492a0 ffffffff81b496a0 ffff8801d3ac7610
[ 29.494310]  ffffffff81bad398 ffff8801d3ac74a8 0000000000000046 0000000000000000
[ 29.502303] Call Trace:
[ 29.504866]  [] ? securityfs_remove+0x260/0x260
[ 29.511076]  [] ? avc_audit_post_callback+0x400/0x400
[ 29.517801]  [] common_lsm_audit+0x128/0x1a40
[ 29.523833]  [] ? debug_object_active_state+0xfa/0x420
[ 29.530649]  [] ? ipv6_skb_to_auditdata+0xd80/0xd80
[ 29.537198]  [] ? debug_object_active_state+0x2b4/0x420
[ 29.544096]  [] ? _raw_spin_unlock_irqrestore+0x45/0x70
[ 29.550995]  [] ? debug_object_active_state+0x2b4/0x420
[ 29.557894]  [] ? debug_object_assert_init+0x360/0x360
[ 29.564705]  [] ? check_preemption_disabled+0x3b/0x200
[ 29.571516]  [] ? trace_hardirqs_off+0xd/0x10
[ 29.577550]  [] ? __call_rcu.constprop.69+0x223/0x930
[ 29.584273]  [] ? avc_update_node+0x8e/0xa40
[ 29.590218]  [] slow_avc_audit+0x181/0x210
[ 29.595987]  [] ? avc_get_hash_stats+0x230/0x230
[ 29.602281]  [] audit_inode_permission+0x1ec/0x310
[ 29.608746]  [] ? selinux_cred_prepare+0xa0/0xa0
[ 29.615037]  [] ? mutex_lock_nested+0x5d4/0x850
[ 29.621242]  [] ? mutex_lock_nested+0x560/0x850
[ 29.627447]  [] selinux_inode_permission+0x3f0/0x4b0
[ 29.634084]  [] ? selinux_bprm_committed_creds+0x440/0x440
[ 29.641245]  [] security_inode_permission+0xaf/0xf0
[ 29.647800]  [] __inode_permission2+0x93/0x240
[ 29.653919]  [] inode_permission2+0x2f/0x100
[ 29.659864]  [] link_path_walk+0x8a8/0x16e0
[ 29.665722]  [] ? walk_component+0xff0/0xff0
[ 29.671670]  [] ? __mutex_init+0xca/0x100
[ 29.677353]  [] path_openat+0x22d/0x3b60
[ 29.682949]  [] ? path_mountpoint+0x830/0x830
[ 29.688978]  [] ? getname_flags+0xcb/0x580
[ 29.694748]  [] ? getname+0x19/0x20
[ 29.699912]  [] ? do_sys_open+0x205/0x4b0
[ 29.705594]  [] ? SyS_open+0x2d/0x40
[ 29.710842]  [] ? entry_SYSCALL_64_fastpath+0x16/0x92
[ 29.717568]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 29.724552]  [] ? __lock_is_held+0xa1/0xf0
[ 29.730322]  [] do_filp_open+0x197/0x290
[ 29.735917]  [] ? user_path_mountpoint_at+0x40/0x40
[ 29.742468]  [] ? _raw_spin_unlock+0x2c/0x50
[ 29.748411]  [] ? __alloc_fd+0x1e3/0x500
[ 29.754007]  [] do_sys_open+0x343/0x4b0
[ 29.759518]  [] ? filp_open+0x70/0x70
[ 29.764855]  [] ? SyS_read+0x1b0/0x1b0
[ 29.770279]  [] SyS_open+0x2d/0x40
[ 29.775363]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[ 29.781910] Code: ea 48 c7 c6 00 6e 9c 83 e8 2f 07 7f ff eb ad e8 98 65 81 ff 48 8b 7d c8 48 c7 c6 40 6d 9c 83 e8 18 07 7f ff eb ab e8 81 65 81 ff <0f> 0b e8 4a 41 9b ff e9 c2 fe ff ff 48 89 df e8 7d 41 9b ff e9
[ 29.808726] RIP  [] avc_audit_pre_callback+0x25f/0x2b0
[ 29.815662]  RSP
[ 29.819675] Dumping ftrace buffer:
[ 29.823191]    (ftrace buffer empty)
[ 29.826869] Kernel Offset: disabled
[ 29.830461] Rebooting in 86400 seconds..